{
	"id": "4f0b841c-6d79-4547-9b58-b8f9fac378d6",
	"created_at": "2026-04-06T00:12:16.675873Z",
	"updated_at": "2026-04-10T13:13:01.710143Z",
	"deleted_at": null,
	"sha1_hash": "f1fb59ad3f8839388834b1eff7209113b4d92847",
	"title": "Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2784388,
	"plain_text": "Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets\r\nBy Avigayil Mechtinger\r\nPublished: 2021-01-05 · Archived: 2026-04-05 16:45:27 UTC\r\nAlready with thousands of victims.\r\nIntro\r\nWith Bitcoin on the rise and a market exceeding billions of dollars, cryptocurrency has attracted threat actors wishing to leverage this capital for their own financial gain.\r\nIn December, we discovered a wide-ranging operation targeting cryptocurrency users, estimated to have begun in January 2020. This extensive operation is composed of a full-fledged marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch.\r\nThe campaign includes domain registrations, websites, trojanized applications, fake social media accounts and a new, undetected remote access trojan that we have named ElectroRAT. ElectroRAT is written in Golang and compiled to target multiple operating systems: Windows, Linux and MacOS.\r\nIt is rather common to see various information stealers trying to collect private keys to access victims’ wallets. However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes.\r\nThe attacker behind this operation has lured cryptocurrency users to download trojanized applications by promoting them in dedicated online forums and on social media. We estimate this campaign has already infected thousands of victims, based on the number of unique visitors to the pastebin pages used to locate the command and control servers.\r\nhttps://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/\r\nPage 1 of 13\r\nThe Operation\r\nThe attacker has created three different trojanized applications, each with a Windows, Linux and Mac version. The binaries are hosted on websites built specifically for this campaign.\r\nThese applications are directly related to cryptocurrency. “Jamm” and “eTrade” are cryptocurrency trade management applications and “DaoPoker” is a cryptocurrency poker app. Figures 1 and 2 are the homepages of the “Jamm” and “eTrade” websites. Figure 3 shows what the “eTrade” application looks like once it runs on an Ubuntu desktop.\r\nFigure 1: “Kintum” homepage which hosts eTrade’s Windows, Linux and MacOS trojans\r\nFigure 2: “Jamm” homepage which hosts Jamm’s Windows, Linux and MacOS trojans\r\nFigure 3: eTrade (Kintum) application on Ubuntu desktop\r\nThese applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware. Figures 4 and 5 are examples of the promotions posted in these forums.\r\nFigure 4: The user “anri.rixardinh” posting in a Chinese Hive forum in PeakD promoting the “eTrade” application\r\nFigure 5: “Jamm” application promoted in the bitcointalk forum\r\nThe attacker went the extra mile to create Twitter and Telegram personas for the “DaoPoker” application, in addition to paying a social media influencer for advertisement. Figure 6 shows the DaoPoker Twitter page. Figure 7 shows eTrade promoted by a social media advertiser with over 25K followers on Twitter.\r\nFigure 6: DaoPoker’s Twitter page\r\nFigure 7: eTrade (Kintum) promoted via a social media advertiser on Twitter\r\nVictims of the Operation\r\nAs part of its behavioral flow, ElectroRAT contacts raw pastebin pages to retrieve the C\u0026C IP address. The pastebin pages are published by the same user, called “Execmac”. Browsing the user’s page gives us more visibility into the number of victims subject to this campaign. In Figure 8, we can see that the number of unique visitors to the user’s pastes is approximately 6.5K [at the time of this writing]. We can also see that the first pastebin pages were posted on January 8 2020, which indicates the operation has been active for at least a year.\r\nFigure 8: https[:]//pastebin[.]com/u/execmac pastebin page\r\nWe also saw evidence of victims who were compromised by these applications commenting on posts related to MetaMask. See Figures 9 and 10.\r\nFigure 9: A user commenting on a MetaMask Tweet\r\nFigure 10: A user alerting on DaoPoker\r\nOpening a Can of Stealers\r\nThe above-mentioned pastebin page reveals more insights. Other pastes published by the same user contain C\u0026Cs directly tied to Amadey and KPOT. These malware families are stealers mainly purchased on the Dark Web as off-the-shelf malware. ElectroRAT shares similar functionality with these well-known trojans; however, it is written from scratch in Golang. We assume one reason for this is to target multiple operating systems, since Golang is well suited to multi-platform builds. Writing the malware from scratch has also allowed the campaign to fly under the radar for almost a year by evading all antivirus detections.\r\nTechnical Analysis\r\nJamm, DaoPoker and eTrade were built using Electron, an app building platform. ElectroRAT is embedded inside each application. Once a victim runs the application, an innocent GUI will open, while ElectroRAT runs hidden in the background as “mdworker”. Figure 3 above shows the eTrade app GUI upon runtime on an infected Ubuntu desktop machine. Figure 11 shows what the infection looks like behind the scenes using Intezer’s Cloud Workload Protection Platform, Intezer Protect.\r\nFigure 11: ElectroRAT alert in Intezer Protect\r\nThe trojanized applications and the ElectroRAT binaries have either low or no detections in VirusTotal at the time of this writing. Figure 12 shows the signed DaoPoker application’s detection rate in VirusTotal.\r\nFigure 12: DaoPoker application in VirusTotal (2c35bfabc6f441a90c8cc584e834eb59)\r\nElectroRAT is extremely intrusive. It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities across its Windows, Linux and MacOS variants.\r\nFor more technical information, browse the following Tweet:\r\nDetection \u0026 Response\r\nDetect if a Machine in Your Network Has Been Compromised\r\nYou can quickly detect if your machine, or a machine in your network, has been compromised by malware using Intezer Protect and the Intezer Analyze Endpoint Scanner:\r\nLinux Machines\r\nLinux threats are on the rise. Use Intezer Protect to gain full runtime visibility over the code in your Linux-based systems and get alerted on any malicious or unauthorized code. We have a free community edition.\r\nFigure 11 above shows an Intezer Protect alert on a compromised machine. The alert provides you with full context about the malicious code, including the threat classification, the binary’s path on disk, the process tree, the command line and the hash.\r\nWindows Machines\r\nRunning Intezer’s Endpoint Scanner will provide you with visibility into the type and origin of all binary code that resides in your machine’s memory. Figure 13 shows an example of an endpoint infected with ElectroRAT.\r\nFigure 13: Endpoint infected with ElectroRAT\r\nResponse\r\nIf you were, or suspect that you are, a victim of this scam, take the following steps:\r\n1. Kill the process and delete all files related to the malware.\r\n2. Make sure your machine is clean and running 100% trusted code using Intezer’s tools mentioned above.\r\n3. Move your funds to a new wallet.\r\n4. Change all of your passwords.\r\nYou can also run this YARA rule against in-memory artifacts to detect ElectroRAT.\r\nWrap-Up\r\nIt is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users. It is even rarer to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.\r\nElectroRAT is the latest example of attackers using Golang to develop multi-platform malware. We touched upon this trend in the Top Linux Cloud Threats of 2020.\r\nElectroRAT’s PE and ELF versions are indexed in Intezer Analyze so that you can quickly classify any samples that are genetically similar.\r\nIoCs\r\nC\u0026C\r\n193[.]38[.]55[.]131\r\n193[.]38[.]55[.]4\r\n213[.]226[.]100[.]140\r\nkintum[.]io\r\ndaopoker[.]com\r\njamm[.]to\r\npastebin.com/raw/r12wBrC7\r\npastebin.com/raw/DF8Gikrk\r\npastebin.com/raw/bfQiiqyv\r\npastebin.com/raw/UbTZx6kd\r\npastebin.com/raw/U45SvK4K\r\npastebin.com/raw/zrZA4L3e\r\nSource: https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/"
	],
	"report_names": [
		"operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets"
	],
	"threat_actors": [],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1fb59ad3f8839388834b1eff7209113b4d92847.pdf",
		"text": "https://archive.orkl.eu/f1fb59ad3f8839388834b1eff7209113b4d92847.txt",
		"img": "https://archive.orkl.eu/f1fb59ad3f8839388834b1eff7209113b4d92847.jpg"
	}
}